[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Iae94329e7abd105bf95224d28f39f4b746b9eb70
Andrew Nielsen
andrew.nielsen at hds.com
Thu Sep 12 05:07:44 UTC 2013
It would be much better to generate a self-signed cert on the fly than to allow plain text by default. The people who are truly security conscious will have the skills, discipline, and expertise to deal with a CA file. For those who don't want any security, it should be a conscious choice to turn it off. A little inconvenience with BTNS is better than OpenStack being labeled as insecure.
Apologies if I am not using the correct reply format.
Regards,
Drew
Sent from my iPad
On Sep 11, 2013, at 21:04, "Jeffrey Walton" <noloader at gmail.com> wrote:
>> This adds the ability to specify a CA file that will be used to verify a
>> HTTPS connections or insecure to specifically ignore HTTPS validation.
> CA file is good, especially if the organization is running its own PKI.
>
> I'm not sure about the other state: no CA means plain text everything.
>
> I'm wondering if a better choice would be to generate a self-signed on
> the fly to provide better than nothing security (BTNS).
>
> For those who insist on plain text connections, make them shoot
> themselves in the foot by altering a configuration file.
>
> (Sorry about the Gerrit reply. I don't know how to comment on a
> concept rather than a particular source file).
>
> On Wed, Sep 11, 2013 at 10:07 PM, <gerrit2 at review.openstack.org> wrote:
>>
>> Hi, I'd like you to take a look at this patch for potential
>> SecurityImpact.
>> https://review.openstack.org/34161
>>
>> Log:
>> commit 20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
>> Author: Jamie Lennox <jlennox at redhat.com>
>> Date: Mon Aug 12 13:12:27 2013 +1000
>>
>> Replace HttpConnection in auth_token with Requests
>>
>> Requests is becoming the standard way of doing http communication, it
>> also vastly simplifies adding other authentication mechanisms. Use it in
>> the auth_token middleware.
>>
>> This adds the ability to specify a CA file that will be used to verify a
>> HTTPS connections or insecure to specifically ignore HTTPS validation.
>>
>> SecurityImpact
>> DocImpact
>> Partial-Bug: #1188189
>> Change-Id: Iae94329e7abd105bf95224d28f39f4b746b9eb70
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
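As an added illustration, not code from the patch under review or from python-keystoneclient, the block below shows how the two options the commit message describes (a CA file, and an insecure flag that skips validation) map onto TLS verification behaviour, both as the value a caller would hand to requests' verify= keyword and as an equivalent stdlib ssl.SSLContext. The function names, the rule that insecure takes precedence over cafile, and the existence check on the CA path are assumptions made for this example; the temporary .pem file it creates is a constructed input that is only checked for existence, never loaded.

```python
"""Resolve (cafile, insecure) settings into a TLS verification policy.

Added example; the function names and the precedence rule (insecure wins
over cafile) are assumptions, not the behaviour of any particular project.
"""
import logging
import os
import ssl
import tempfile

log = logging.getLogger(__name__)


def requests_verify_arg(cafile=None, insecure=False):
    """Return the value a caller would pass as requests' ``verify=`` kwarg.

    insecure=True  -> False  (no certificate or hostname checks at all)
    cafile given   -> path   (verify only against that CA bundle)
    neither        -> True   (requests' default: its bundled CA set)
    """
    if insecure:
        # Loud, because this is the state the thread warns about.
        log.warning("TLS certificate verification disabled (insecure=True)")
        return False
    if cafile:
        # Assumption: fail fast on a typo rather than at first request.
        if not os.path.isfile(cafile):
            raise ValueError("cafile %r does not exist" % cafile)
        return cafile
    return True


def build_ssl_context(cafile=None, insecure=False):
    """The same policy expressed for stdlib clients (http.client, urllib)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if insecure:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile:
        # Raises ssl.SSLError if the file holds no parsable certificate.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def demo():
    """Run the three policies on constructed inputs; return what each yields."""
    results = {}
    # Constructed placeholder: an empty .pem, used only for the path check.
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as f:
        cafile = f.name
    try:
        results["default_verify"] = requests_verify_arg()
        results["cafile_verify"] = requests_verify_arg(cafile=cafile)
        results["insecure_verify"] = requests_verify_arg(cafile=cafile, insecure=True)

        ctx = build_ssl_context()
        results["default_requires_cert"] = (
            ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
        )
        ctx = build_ssl_context(insecure=True)
        results["insecure_checks_nothing"] = (
            ctx.verify_mode == ssl.CERT_NONE and not ctx.check_hostname
        )
        try:
            requests_verify_arg(cafile="/nonexistent/ca.pem")
            results["missing_cafile_rejected"] = False
        except ValueError:
            results["missing_cafile_rejected"] = True
    finally:
        os.unlink(cafile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The point the example makes concrete is that the "neither option set" state is not plain text: with verify=True, or a default ssl context, the peer certificate is still checked against the trust store and the hostname is still verified. Only the explicit insecure flag removes those checks, which is why the example logs a warning on that branch.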